Thanks for checking and for getting this bug knocked out.
I find http://datatracker.ietf.org/wg/tls/documents/ to be a useful
cross checking tool in situations like this. As long as you hit the
major ones that we support, I'm happy.
Thanks,
Brad
On 1/22/2015 10:17 PM, Jamil Nimeh wrote:
I did check some of the other TLS RFCs, particularly 6066, 6961, 4492,
5288 and a few others. There are so many that I'm not 100% certain I
caught them all, but not all apply to JSSE either. In all the RFCs I
looked at, those vectors had upper bounds that matched the maximum value
for its length field.
--Jamil
On 01/22/2015 09:57 PM, Bradford Wetmore wrote:
Jamil,
MAX_LENGTH probably could have been private, but not a big deal.
Nice that it was only SessionID. I did a spot check on the TLS
Extensions and TLS1.0-1.2, do you check on other related TLS RFCs?
Brad
On 1/22/2015 6:27 PM, Xuelei Fan wrote:
Looks fine to me. Thanks!
Xuelei
On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
Hi Xuelei, et al.:
Updated webrev:
http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
Thanks,
--Jamil
On 01/22/2015 04:26 PM, Xuelei Fan wrote:
I may use SSLProtocolException if the size of session ID is bigger
than
32. Otherwise, looks fine to me.
Xuelei
On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
Hi all,
This review is to provide length checks on the session ID for SSL/TLS
connections. It appears to be the only vector/array that needs
additional length-checks to make sure it's not exceeding 32 bytes.
Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
Thanks,
--Jamil
